This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.
Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
It looks like some Windows NDIS drivers (e.g., Intel) do not clear the
PMKID list even when wpa_supplicant explicitly sets the list to be
empty. In such a case, the driver ends up trying to use PMKSA caching
with the AP and wpa_supplicant may not have the PMK that would be needed
to complete 4-way handshake.
RSN processing already had some code for aborting PMKSA caching by
sending EAPOL-Start. However, this was not triggered in this particular
case where the driver generates the RSN IE. With this change, this case
is included, too, and the failed PMKSA caching attempt is cleanly
canceled and wpa_supplicant can fall back to full EAP authentication.
It looks like Qt does not support SVG format by default on Windows and
it was not trivial to add the plugin into the build, so for now, build a
16x16 PNG icon file for Windows binary to avoid showing an invisible
icon in the tray.
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:
engine2
engine2_id
pin2
and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.
Find attached the patch that creates a new driver: roboswitch. This
driver adds support for wired authentication with a Broadcom
RoboSwitch chipset. For example it is now possible to do wired
authentication with a Linksys WRT54G router running OpenWRT.
LIMITATIONS
- At the moment the driver does not support the BCM5365 series (though
adding it requires just some register tweaks).
- The driver is also limited to Linux (this is a far more technical
restriction).
- In order to compile against a 2.4 series you need to edit
include/linux/mii.h and change all references to "u16" in "__u16". I
have submitted a patch upstream that will fix this in a future version
of the 2.4 kernel. [These modifications (and more) are now included in
the kernel source and can be found in versions 2.4.37-rc2 and up.]
USAGE
- Usage is similar to the wired driver. Choose the interfacename of
the vlan that contains your desired authentication port on the router.
This name must be formatted as <interface>.<vlan>, which is the
default on all systems I know.
Remove the old code from driver_wext.c since the private ioctl interface is
never going to be used with mac80211. driver_nl80211.c has an
implementation than can be used with mac80211 (with two external patches to
enable userspace MLME configuration are still required, though).
Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
GCC 4.4 cleaned up some more C++ headers. You always have to #include
headers directly and cannot rely for things to be included indirectly.
> g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DCONFIG_CTRL_IFACE
-DCONFIG_CTRL_IFACE_UNIX -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED
-I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtGui
-I/usr/include/qt4 -I. -I.. -I../../src/utils -I../../src/common -I.moc -I.ui -o
.obj/wpagui.o wpagui.cpp
> wpagui.cpp: In constructor 'WpaGui::WpaGui(QWidget*, const char*,
Qt::WFlags)':
> wpagui.cpp:98: error: 'printf' was not declared in this scope
From: Martin Michlmayr <tbm@cyrius.com>
Bug: http://bugs.debian.org/505041
Signed-off-by: Kel Modderman <kel@otaku42.de>
delaying Michael MIC error reports by a random amount of time between 0 and
60 seconds if multiple Michael MIC failures are detected with the same PTK
(i.e., the Authenticator does not rekey PTK on first failure report). This
is disabled by default and can be enabled with a build option
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config.
This may help in making a chopchop attack take much longer time by forcing
the attacker to wait 60 seconds before knowing whether a modified frame
resulted in a MIC failure.
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).
With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
This may be needed if the AP does not disconnect in case of EAP-FAST
unauthenticated provisioning (EAP-Failure). Adding the local short timeout
will speed up the process in such a case by reducing the wait (which can
often be up to 60 seconds).
This allows identity (etc.) variables to be removed from configuration
which is different from setting them to an empty string. For example,
EAP-SIM and EAP-AKA can now be configured to use identity string generation
from SIM/USIM by clearing the identity string in wpa_gui.
Setting the value of the SET_NETWORK command to NULL (without quotation)
unsets the variable, i.e., removes it from configuration file. This is
needed to allow GUI programs to clear variables, e.g., identity for
EAP-AKA/SIM.
Allow application to be started in the system tray only when started with
the `-t' command line argument.
Signed-off-by: Kel Modderman <kel@otaku42.de>
When the system tray icon is created, qApp's setQuitOnLastWindowClosed
property is set to false, therefore do _not_ ignore widget close events, or
else wpa_gui will refuse to exit when the window manager is logging out.
While at it, remove WpaGui::fileExit() and connect fileExitAction to
quit().
Signed-off-by: Kel Modderman <kel@otaku42.de>
A bug just got reported as a result of this for mac80211 drivers.
https://bugzilla.redhat.com/show_bug.cgi?id=459399
The basic problem is that since taking the device down clears the keys
from the driver on many mac80211-based cards, and since the mode gets
set _after_ the keys have been set in the driver, the keys get cleared
on a mode switch and the resulting association is wrong. The report is
about ad-hoc mode specifically, but this could happen when switching
from adhoc back to managed mode.
This function was getting way too long, so let's split it into WPA and
non-WPA cases as separate functions. In addition, remove the confusing
"Try to find non-WPA AP" debug message if a WPA-enabled AP is already
selected (as reported by Andriy Tkachuk).
but still show a one time tray message to indicate to the user that the
program is still running in the tray if they triggered the window manager
close button.
Signed-off-by: Kel Modderman <kel@otaku42.de>
Do not connect lastWindowClosed() to quit(), instead explicitly close the
application if File->Exit or window manager close button is activated.
This allows the tray app to avoid being closed with last visible window,
and launch scan and event history windows individually.
Signed-off-by: Kel Modderman <kel@otaku42.de>
Enhance the wpa_gui-qt4 icon:
* removed unused layer
* moved spurious rectangle back where it belongs
* removed flat edge from top of the lower white glow object
Signed-off-by: Bernard Gray <bernard.gray@gmail.com>
mlme.c: In function 'ieee80211_rx_mgmt_action':
mlme.c:1990: warning: implicit declaration of function
'ieee80211_rx_mgmt_ping_action'
...
mlme.o(.text+0x3007): In function `ieee80211_sta_rx':
/home/ant/hostap/hostap06/hostap/wpa_supplicant/mlme.c:1990: undefined reference
to `ieee80211_rx_mgmt_ping_action'
collect2: ld returned 1 exit status
When the initial scan is made, just the cached results from the driver
are used. If this is empty, it's useless to post the results since
another scan is being scheduled immediately. This just causes extra
processing from listeners for no gain.
The scan path to initiate another scan if the initial association failed
was broken due to wpa_s->scan_req being zeroed earlier in
wpa_supplicant_scan(). This caused the second scan to bail out early
since it thought this was not a requested scan.
Add system tray icon support to wpa_gui-qt4. The tray icon remains quiet
when the main dialog is visible, so it should not cause too much pain for
more conservative users of wpa_gui. The addition involves the following
changes:
* when closing wpa_gui via window manager close box, wpa_gui close event is
ignored and it is minimised to system tray. A status message is displayed
(or popup dialog box if tray messages are not supported) to provide a
visual hint that the program is still running in the background.
* add File->Exit slot handler to facilitate application quit from main
dialog
* provide a context menu with a short list of useful actions
* show/hide main dialog when icon is triggered (single click)
* ensure main dialog is visible when event handler or scan results is
chosen from tray icon context menu
* show tray messages on connected and disconnected events, display a status
message a few seconds after connected events
Signed-off-by: Kel Modderman <kel@otaku42.de>
When integrating the new art, this UI entry:
<pixmapfunction>qPixmapFromMimeSource</pixmapfunction>
Caused the following error:
.obj/wpagui.o: In function `Ui_WpaGui::setupUi(QMainWindow*)':
wpagui.cpp:(.text._ZN9Ui_WpaGui7setupUiEP11QMainWindow[Ui_WpaGui::setupUi(QMainWindow*)]+0xd3): undefined reference to `qPixmapFromMimeSource(QString const&)'
collect2: ld returned 1 exit status
Removing qPixmapFromMimeSource seems to have no unwanted side effects, and
allows successful build again. Research leads me to believe it depends on
Qt3Support, which we do not want.
Signed-off-by: Kel Modderman <kel@otaku42.de>
Introducing an original wpa_gui icon, in svg format, with Makefile for
easy conversion to other icon formats. The icon is thanks to Bernard Gray.
Signed-off-by: Bernard Gray <bernard.gray@gmail.com>
Signed-off-by: Kel Modderman <kel@otaku42.de>
IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for
key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new
AKMPs and clean up AKMP processing with helper functions in defs.h.
This updates management frame protection to use the assocition ping process
from the latest draft (D6.0) to protect against unauthenticated
authenticate or (re)associate frames dropping association.
This adds most of the new frame format and identifier definitions from IEEE
802.11w/D6.0. In addition, the RSN IE capability field values for MFP is
replaced with the new two-bit version with MFPC (capable) and MFPR
(required) processing.
This adds some parts needed to use usermode MLME with the current mac80211
(plus a patch to add a new cfg80211 command; not yet submitted to
wireless-testing). This version creates a monitor interface for management
frames and is able to send Probe Request frames during scan. However, it
looks like management frame reception is not yet working properly. In
addition, mlme_{add,remove}_sta() handlers are still missing.
wpa_sm_set_config() can be called even if the network block does not
change. However, the previous version ended up calling
pmksa_cache_notify_reconfig() every time and this cleared the network
context from PMKSA cache entries. This prevented OKC from ever being used.
Do not call pmksa_cache_notify_reconfig() if the network context remains
unchanged to allow OKC to be used.
When scan results got moved from wpa_scan_result -> wpa_scan_res, the
'maxrate' member was dropped from wpa_scan_res. The D-Bus interface
used 'maxrate', which was replaced with wpa_scan_get_max_rate().
Unfortunately, wpa_scan_get_max_rate() returns 802.11 rate values
directly from the IE, where 'maxrate' was the rate in bits/second. The
supplicant internally fakes an IE for wpa_scan_res from the value of
wpa_scan_result->maxrate, but interprets ->maxrate as an 802.11 rate
index.
As a side-effect, this fixes a soft-break of the D-Bus control API since
the wpa_scan_res change was introduced.
Function 'wpa_sm_set_config' used the argument 'config' as the network
context which is a pointer to a local variable of the function
'wpa_supplicant_rsn_supp_set_config'.
This is one reason why no proactive key was generated. This network
context never matched with the network context saved in the pmksa cache
entries.
The structure 'rsn_supp_config' has already a member 'network_ctx' which
is now filled in by this patch with 'ssid'.
Signed-off-by: Michael Bernhard <michael.bernhard@bfh.ch>
Documentation appeared a little vague about which options are global and
which are tied to a particular interface. This leads to confusion when
using certain combinations of options, e.g. the command "wpa_supplicant
-c /etc/wpa_supplican.conf -u" will not do what is intuitively expected
from it - it will not read the config file given with -c option because
no -i option was given. This command is still valid because -u option is
used. The wpa_supplicant running like this will also not listen on any
control socket, because the socket file name is usually given in the
config file. This command line also happens to be the default in Fedora 9.
This patch does not try to change any behaviour, but rather document
these nuances clearly.
This avoids getting stuck in state where wpa_supplicant has canceled scans,
but the driver is actually in disassociated state. The previously used code
that controlled scan timeout from WPA module is not really needed anymore
(and has not been needed for past four years since authentication timeout
was separated from scan request timeout), so this can simply be removed to
resolved the race condition. As an extra bonus, this simplifies the
interface to WPA module.
[Bug 261]
driver_nl80211.c is based on driver_wext.c and it is still using Linux
wireless extensions for many functions. Over time, the new driver interface
code should be modified to use nl80211/cfg80211 for everything.
This was not accurate since this was mostly based on total runtime of an
eapol_test run. The real improvement in the bignum routines is much larger
(mayby twice as fast as before).
CONFIG_INTERNAL_LIBTOMMATH_FAST=y in .config can now be used to enable all
optimized routines at a cost of about 4 kB. This is small enough increase
in size to justify simplified configuration.
At the cost of about 1 kB of additional binary size, the internal
LibTomMath can be configured to include faster div routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_DIV=y in
.config.
At the cost of about 0.5 kB of additional binary size, the internal
LibTomMath can be configured to include faster sqr routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_SQR=y in
.config.
Depending on how the driver implements IBSS searching and creation, it
may need to perform one or more scans before successfully completing the
association operation. Therefore, increase the timeout for IBSS
association operations so that the supplicant doesn't interrupt the
driver as much.
Add a cost of about 2.5 kB of additional cost, the internal LibTomMath can
be configured to include fast exptmod routine to speed up DH and RSA.
This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_EXPTMOD=y in
.config.
In situations where the driver does background scanning and sends a
steady stream of scan results, wpa_supplicant would continually
reschedule the scan. This resulted in specific SSID scans never
happening for a hidden AP, and the supplicant never connecting to the AP
because it never got found. Instead, if there's an already scheduled
scan, and a request comes in to reschedule it, and there are enabled
scan_ssid=1 network blocks, let the scan happen anyway so the hidden
SSID has a chance to be found.
The internal TLS implementation can now use both PKCS #1 RSA private key
and PKCS #8 encapsulated RSA private key. PKCS #8 encrypted private key is
not yet supported.
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
Explain that wpa_supplicant supports a variety of drivers, but only a
subset of them are chosen at compile time.
Signed-off-by: Kel Modderman <kel@otaku42.de>
Allow the user to set the IP address of the eapol_test client. This if
very useful when you have a machine with many interfaces and want to use a
particular one for testing RADIUS connectivity. For instance when I run the
national eduroam proxy I can only connect to other server from a particular
address, an our machine happens to have several IPs. So if I want to run
connectivity tests, I must make sure that my test uses a particular
interface. The -A option allows one to set this).
(jm: cleaned up to use radius configuration structure instead of global
variable for the address and added IPv6 support)